Thursday, March 1, 2018

Question Set 02

01. 
In transport mode, the use of the Encapsulating Security Payload (ESP) protocol is advantageous over the Authentication Header (AH) protocol because it provides:
A. connectionless integrity.
B. data origin authentication.
C. antireplay service.
D. confidentiality.


Explanation:
Both protocols offer choices A, B and C: AH and ESP each carry a sequence number for anti-replay and an integrity check value (ICV) that provides connectionless integrity and data origin authentication. Only ESP encrypts, so only ESP provides confidentiality. The difference runs the other way for coverage: AH's ICV also covers the immutable fields of the outer IP header, whereas ESP's integrity protection stops at the ESP header and payload, which is why ESP survives NAT and AH does not.
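To make the distinction concrete, here is an added example (not part of the original question set) that models the two services side by side: an AH-style packet is the plaintext plus an HMAC over the sequence number and payload, while an ESP-style packet is AES-GCM ciphertext with the sequence number bound in as additional authenticated data. The keys and payload are constructed, and the wire layouts are simplified stand-ins for RFC 4302/4303, not real packet formats. An on-path observer's test, whether the payload appears verbatim on the wire, is what separates the two.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed demo keys. A real IPsec SA gets its keys from IKE.
var (
	ahKey  = bytes.Repeat([]byte{0x11}, 32) // HMAC-SHA256 key for the AH-style SA
	espKey = bytes.Repeat([]byte{0x22}, 16) // AES-128-GCM key for the ESP-style SA
)

// ahProtect models AH: the payload travels in the clear and an ICV over the
// sequence number and payload gives integrity and origin authentication
// (real AH also covers immutable IP header fields; omitted here).
// Wire layout: seq(4) || payload || icv(32)
func ahProtect(seq uint32, payload []byte) []byte {
	var seqb [4]byte
	binary.BigEndian.PutUint32(seqb[:], seq)
	mac := hmac.New(sha256.New, ahKey)
	mac.Write(seqb[:])
	mac.Write(payload)
	wire := append(seqb[:], payload...)
	return append(wire, mac.Sum(nil)...)
}

// ahVerify recomputes the ICV in constant time and returns seq and payload.
func ahVerify(wire []byte) (seq uint32, payload []byte, ok bool) {
	if len(wire) < 4+sha256.Size {
		return 0, nil, false
	}
	body, icv := wire[:len(wire)-sha256.Size], wire[len(wire)-sha256.Size:]
	mac := hmac.New(sha256.New, ahKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), icv) {
		return 0, nil, false
	}
	return binary.BigEndian.Uint32(body[:4]), body[4:], true
}

// espProtect models ESP with an AEAD (AES-GCM, as in RFC 4106): the payload is
// encrypted, and the sequence number, sent in the clear, is bound into the tag
// as additional authenticated data, so integrity comes with confidentiality.
// Wire layout: seq(4) || nonce(12) || ciphertext || tag(16)
func espProtect(seq uint32, payload []byte) []byte {
	gcm := newGCM()
	var seqb [4]byte
	binary.BigEndian.PutUint32(seqb[:], seq)
	nonce := make([]byte, gcm.NonceSize())
	copy(nonce[8:], seqb[:]) // unique per (key, seq); a nonce must never repeat under one key
	wire := append(seqb[:], nonce...)
	return gcm.Seal(wire, nonce, payload, seqb[:])
}

func espOpen(wire []byte) (seq uint32, payload []byte, ok bool) {
	if len(wire) < 4+12+16 {
		return 0, nil, false
	}
	seqb, nonce, ct := wire[:4], wire[4:16], wire[16:]
	pt, err := newGCM().Open(nil, nonce, ct, seqb)
	if err != nil {
		return 0, nil, false
	}
	return binary.BigEndian.Uint32(seqb), pt, true
}

func newGCM() cipher.AEAD {
	block, err := aes.NewCipher(espKey)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// leaksPlaintext is the on-path observer's test: is the payload visible verbatim?
func leaksPlaintext(wire, payload []byte) bool { return bytes.Contains(wire, payload) }

func main() {
	msg := []byte("PATIENT-ID=12345 RESULT=POSITIVE") // constructed sample payload
	ah, esp := ahProtect(1, msg), espProtect(1, msg)
	fmt.Printf("AH  leaks payload: %v\n", leaksPlaintext(ah, msg))
	fmt.Printf("ESP leaks payload: %v\n", leaksPlaintext(esp, msg))
}
```

Both paths reject a flipped byte, which is choice A; the sequence number being inside the authenticated data is what makes the anti-replay check of choice C trustworthy in either protocol; only the ESP path hides the payload, which is choice D.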


02.

An IS auditor notes that IDS log entries related to port scanning are not being analyzed. This lack of analysis will MOST likely increase the risk of success of which of the following attacks?
A. Denial-of-service
B. Replay
C. Social engineering
D. Buffer overflow


Explanation:
Before launching a denial-of-service attack, attackers commonly run automated port scanners to learn which hosts and services are exposed; unanalyzed scan alerts mean this reconnaissance goes unnoticed and the attack arrives without warning. A replay attack simply resends a previously captured packet, social engineering exploits end-user behaviour, and buffer overflow attacks exploit poorly written code; the scan itself does not point to any of these.
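What "analyzing" port-scan entries means in practice is shown by the added example below, which is not part of the original page: a detector that groups constructed IDS alert lines by source address and flags any source touching a threshold of distinct destination ports within a sliding time window. The line format, addresses, thresholds and window are all assumptions for the demo. It also shows the failure mode a practitioner should expect: the same sweep spread out over minutes slips under a one-minute window and only appears when the window is widened.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Constructed IDS alert lines (not a real product's format): one TCP SYN each.
var sampleIDSLog = []string{
	// 203.0.113.7: five ports on one host within three seconds (fast scan)
	"2018-03-01T10:00:00Z src=203.0.113.7 dst=10.0.0.5 dport=21 proto=tcp",
	"2018-03-01T10:00:00Z src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp",
	"2018-03-01T10:00:01Z src=203.0.113.7 dst=10.0.0.5 dport=23 proto=tcp",
	"2018-03-01T10:00:02Z src=203.0.113.7 dst=10.0.0.5 dport=25 proto=tcp",
	"2018-03-01T10:00:03Z src=203.0.113.7 dst=10.0.0.5 dport=80 proto=tcp",
	// 198.51.100.20: a legitimate client reconnecting to one service
	"2018-03-01T10:00:05Z src=198.51.100.20 dst=10.0.0.5 dport=443 proto=tcp",
	"2018-03-01T10:00:30Z src=198.51.100.20 dst=10.0.0.5 dport=443 proto=tcp",
	// 203.0.113.9: the same sweep spread out, one port every two minutes (slow scan)
	"2018-03-01T10:01:00Z src=203.0.113.9 dst=10.0.0.5 dport=21 proto=tcp",
	"2018-03-01T10:03:00Z src=203.0.113.9 dst=10.0.0.5 dport=22 proto=tcp",
	"2018-03-01T10:05:00Z src=203.0.113.9 dst=10.0.0.5 dport=23 proto=tcp",
	"2018-03-01T10:07:00Z src=203.0.113.9 dst=10.0.0.5 dport=25 proto=tcp",
}

type event struct{ ts time.Time; src string; dport int }

// parseLine extracts only the fields the detector needs; anything else is ignored.
func parseLine(line string) (event, error) {
	f := strings.Fields(line)
	if len(f) == 0 {
		return event{}, fmt.Errorf("empty line")
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return event{}, err
	}
	e := event{ts: ts}
	for _, kv := range f[1:] {
		p := strings.SplitN(kv, "=", 2)
		if len(p) != 2 {
			continue
		}
		switch p[0] {
		case "src":
			e.src = p[1]
		case "dport":
			e.dport, err = strconv.Atoi(p[1])
		}
	}
	if err != nil || e.src == "" || e.dport == 0 {
		return event{}, fmt.Errorf("unparsable line: %q", line)
	}
	return e, nil
}

// finding: a source, how many distinct ports it hit, and when the threshold fell.
type finding struct{ src string; ports int; at time.Time }

// detectScans flags each source that reaches threshold distinct destination ports
// within any span of length window. Unparsable lines are skipped here; a real
// detector should count them, since a parser gap is a blind spot.
func detectScans(lines []string, window time.Duration, threshold int) []finding {
	bySrc := map[string][]event{}
	for _, l := range lines {
		if e, err := parseLine(l); err == nil {
			bySrc[e.src] = append(bySrc[e.src], e)
		}
	}
	var out []finding
	for src, evs := range bySrc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].ts.Before(evs[j].ts) })
		ports, start := map[int]int{}, 0
		for _, e := range evs {
			ports[e.dport]++
			for e.ts.Sub(evs[start].ts) > window { // expire events that left the window
				if ports[evs[start].dport]--; ports[evs[start].dport] == 0 {
					delete(ports, evs[start].dport)
				}
				start++
			}
			if len(ports) >= threshold {
				out = append(out, finding{src, len(ports), e.ts})
				break
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].src < out[j].src })
	return out
}

func main() {
	for _, f := range detectScans(sampleIDSLog, time.Minute, 4) {
		fmt.Printf("%s: %d distinct ports by %s\n", f.src, f.ports, f.at.Format(time.RFC3339))
	}
}
```

With a one-minute window only 203.0.113.7 is reported; with a fifteen-minute window 203.0.113.9 appears as well. The same per-source map logic extends to distinct destination hosts for catching horizontal sweeps.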


03. 

Which of the following encryption techniques will BEST protect a wireless network from a man-in-the-middle attack?
A. 128-bit wired equivalent privacy (WEP)
B. MAC-based pre-shared key (PSK)
C. Randomly generated pre-shared key (PSK)
D. Alphanumeric service set identifier (SSID)

Explanation:
A randomly generated PSK is stronger than a MAC-based PSK, because a computer's MAC address is fixed and is transmitted in the clear on the wireless medium, so anyone listening can recover the input the key is derived from. WEP has been shown to be a very weak encryption scheme and can be cracked within minutes. The SSID is not an encryption technique at all; it is a network name, broadcast in plaintext. Note that WPA2-PSK derives the pairwise master key from the passphrase and SSID with PBKDF2, so a captured four-way handshake can be attacked offline with a dictionary: a random key only helps if it is long enough to make that search infeasible.

04.

Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key?
A. Certificate revocation list (CRL)
B. Certification practice statement (CPS)
C. Certificate policy (CP)
D. PKI disclosure statement (PDS)

Explanation:
The CPS is the "how" in a policy-based PKI: it spells out the operational procedures the certification authority follows, including what happens when a subscriber's or the CA's own private key is compromised (notification, revocation, re-keying). The CRL is only an output of that procedure, a signed list of certificates revoked before their scheduled expiration date. The CP sets the requirements that the CPS subsequently implements. The PDS summarizes critical items, such as the warranties, limitations and obligations that legally bind each party.


05.

An IS auditor reviewing access controls for a client-server environment should FIRST:
A. evaluate the encryption technique.
B. identify the network access points.
C. review the identity management system.
D. review the application level access controls.


Explanation:
A client-server environment typically contains several access points and uses distributed techniques, which increases the risk of unauthorized access to data and processing. To evaluate its security, all network access points should be identified first, because they define where controls must exist and what the later steps have to cover. Evaluating encryption techniques, reviewing the identity management system and reviewing application-level access controls are performed at a later stage of the review.
 

06.
To prevent IP spoofing attacks, a firewall should be configured to drop a packet if:
A. the source routing field is enabled.
B. it has a broadcast address in the destination field.
C. a reset flag (RST) is turned on for the TCP connection.
D. dynamic routing is used instead of static routing.


Explanation:
IP source routing lets the sender dictate the path a packet takes, overriding the routers' own forwarding decisions, whether those come from static or dynamic routing (so choice D is irrelevant). An attacker who forges a source address normally never sees the replies, because they go to the real owner of that address; with a source-route option in the packet, the replies follow the recorded route back to the attacker, which is what turns blind spoofing into a usable two-way connection. Dropping any packet that carries the loose or strict source-route option removes that capability. Choices B and C have nothing to do with spoofing: a broadcast destination address (choice B) simply delivers the packet to every host on the subnet, and a reset flag (RST) (choice C) is TCP's normal way of aborting a connection.


07.

To address a maintenance problem, a vendor needs remote access to a critical network. The MOST secure and effective solution is to provide the vendor with a:
A. Secure Shell (SSH-2) tunnel for the duration of the problem.
B. two-factor authentication mechanism for network access.
C. dial-in access.
D. virtual private network (VPN) account for the duration of the vendor support contract.


Explanation:
For temporary access, a Secure Shell (SSH-2) tunnel scoped to the maintenance window is the best fit: the session is authenticated and logged, and the tunnel can be restricted to the specific hosts and ports the vendor needs. Choices B, C and D all give broader access than the problem requires. Two-factor authentication strengthens the login but says nothing about what the vendor can reach once authenticated, and a VPN account that lives for the whole support contract grants network-wide reach long after the problem is fixed; both suit dedicated users rather than a one-off repair. Dial-in access would need close monitoring, or an additional authentication mechanism, to approach the same level of assurance as the SSH-2 tunnel.
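The restriction the explanation has in mind can be expressed entirely in the vendor's `authorized_keys` entry on the SSH host. The fragment below is an added example, not from the original page; the target host, source network, expiry date and key are placeholders.

```text
# ~vendor/.ssh/authorized_keys on the access host
restrict,port-forwarding,permitopen="10.10.20.5:3389",from="203.0.113.0/24",expiry-time="201803082359",command="/bin/false" ssh-ed25519 AAAA...vendor-laptop vendor ticket 4711
```

`restrict` turns off every capability (PTY, agent and X11 forwarding, user rc), `port-forwarding` re-enables only forwarding and `permitopen` pins it to one host and port; `from` limits where the vendor may connect from, `expiry-time` ends the access automatically, and the forced `command` means a session request gets no shell, so the vendor connects with `ssh -N -L 3389:10.10.20.5:3389 vendor@host`. With `LogLevel VERBOSE`, sshd records the fingerprint of the key that was accepted, which is the audit trail the answer refers to.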
 

08.
What is the BEST approach to mitigate the risk of a phishing attack?
A. implement an intrusion detection system (IDS)
B. Assess web site security
C. Strong authentication
D. User education


Explanation:
Phishing can be mounted in many ways, and intrusion detection systems (IDSs) and strong authentication cannot mitigate most of them; assessing the organization's own web site security does not reduce the risk either, because the phishing site is a server masquerading as the legitimate one, outside the organization's control. The best mitigation is to educate users to treat unsolicited internet communications with caution and not to trust them until verified; users need training to recognize suspicious web pages and e-mail. (Phishing-resistant authenticators such as FIDO2 security keys do defeat credential-harvesting sites, but not the variants that deliver malware or fraudulent payment instructions, which is why the broad control is user awareness.)
 

09.
A sender of an e-mail message applies a digital signature to the digest of the message. This action provides assurance of the:
A. date and time stamp of the message.
B. identity of the originating computer.
C. confidentiality of the message’s content.
D. authenticity of the sender.

Explanation:
The signature over the digest lets the recipient verify, with the sender's public key, that the message was signed by the holder of the matching private key and has not been altered since, so it provides authenticity (and integrity) of the sender. It does not by itself vouch for the date and time, since a timestamp is only trustworthy if it is inside the signed data or comes from a separate timestamping service, and it says nothing about which computer the message was sent from. Signing does not encrypt: the content stays readable to anyone who intercepts the message, so it does not provide confidentiality.
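The four options map directly onto what a sign-then-verify round trip does and does not check. The example below is added here and is not from the original page; it uses ECDSA over P-256 from Go's standard library with a SHA-256 digest, and the mail body, date header and key names are constructed. The `Date` field is deliberately left outside the signed data to show why choice A is wrong.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signedMail is the envelope that leaves the sender. Only Body is covered by the
// signature; Date is a plain header that a relay or attacker can rewrite at will.
type signedMail struct {
	Date string // constructed header, NOT under the signature
	Body []byte
	Sig  []byte // ASN.1 DER ECDSA signature over SHA-256(Body)
}

func generateKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// signMail hashes the body and signs the digest, exactly the action in the question.
func signMail(priv *ecdsa.PrivateKey, date string, body []byte) signedMail {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	return signedMail{Date: date, Body: body, Sig: sig}
}

// verifyMail recomputes the digest and checks it against the sender's public key.
// true means the body is unmodified and was signed by the holder of the matching
// private key; it says nothing about when, or from which machine, it was sent.
func verifyMail(pub *ecdsa.PublicKey, m signedMail) bool {
	digest := sha256.Sum256(m.Body)
	return ecdsa.VerifyASN1(pub, digest[:], m.Sig)
}

// bodyIsReadable is the eavesdropper's view: signing leaves the body in plaintext.
func bodyIsReadable(m signedMail, secret []byte) bool { return bytes.Contains(m.Body, secret) }

func main() {
	alice := generateKey()
	m := signMail(alice, "Thu, 01 Mar 2018 09:00:00 +0000", []byte("Transfer approved: account 4711"))
	fmt.Println("verifies:", verifyMail(&alice.PublicKey, m))
	m.Date = "Fri, 02 Mar 2018 17:30:00 +0000" // header rewritten in transit
	fmt.Println("still verifies after Date change:", verifyMail(&alice.PublicKey, m))
}
```

A wrong key or a changed body fails verification (choice D holds), the rewritten `Date` still verifies (choice A does not), nothing in the envelope identifies a machine (choice B), and the body is readable to anyone holding the envelope (choice C).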

10.


The BEST filter rule for protecting a network from being used as an amplifier in a denial of service (DoS) attack is to deny all:
A. outgoing traffic with IP source addresses external to the network.
B. incoming traffic with discernible spoofed IP source addresses.
C. incoming traffic with IP options set.
D. incoming traffic to critical hosts.


Explanation:
The rule in choice A is egress filtering (BCP 38 / RFC 2827): a packet leaving the network with a source address outside the network's own address range cannot be legitimate, and in most cases it signals a DoS attack launched by an internal user or by a previously compromised internal machine spoofing the victim's address. Dropping such packets at the border stops the network from contributing to the attack. The inbound filters in choices B, C and D reduce what reaches internal hosts, but they do not stop an internal or compromised host from emitting spoofed traffic, which is what makes the network an amplifier.
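The firewall rules from questions 06 and 10 share one building block, an IPv4 header parser, so the added example below implements both in a single inspection routine (this is example code, not from the original page): it drops any packet carrying a loose or strict source-route option, drops outbound packets whose source address is not in the network's own prefixes (the egress rule of choice A), and, one step beyond the question's rule, drops the mirror-image inbound packet that claims an inside source. The prefixes, addresses and packet builder are constructed for the demo; the builder emits no checksum because the routine does not verify one. Malformed option lengths are treated as a drop rather than a pass, which is the fail-closed choice a practitioner wants in a filter.

```go
package main

import (
	"fmt"
	"net"
)

// IPv4 option types from RFC 791: end-of-list, no-op, loose and strict source route.
const optEOL, optNOP, optLSRR, optSSRR = 0, 1, 131, 137

// filter knows which address space belongs to the protected network; that is all the anti-spoofing rules need.
type filter struct{ internal []*net.IPNet }

func newFilter(cidrs ...string) *filter {
	f := &filter{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err) // a bad prefix list is a configuration error: refuse to run
		}
		f.internal = append(f.internal, n)
	}
	return f
}

func (f *filter) isInternal(ip net.IP) bool {
	for _, n := range f.internal {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// hasSourceRoute walks the options area of an IPv4 header. ok=false means the
// options are malformed; the filter treats that as a drop (fail closed).
func hasSourceRoute(opts []byte) (found, ok bool) {
	for i := 0; i < len(opts); {
		switch opts[i] {
		case optEOL:
			return found, true
		case optNOP:
			i++
		default: // every other option is type, length, data
			if i+1 >= len(opts) || opts[i+1] < 2 || i+int(opts[i+1]) > len(opts) {
				return false, false
			}
			found = found || opts[i] == optLSRR || opts[i] == optSSRR
			i += int(opts[i+1])
		}
	}
	return found, true
}

// inspect returns "" to pass the packet, otherwise the reason to drop it.
// outbound=true means the packet is leaving through the external interface.
func (f *filter) inspect(pkt []byte, outbound bool) string {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return "too short or not IPv4"
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || ihl > len(pkt) {
		return "bad header length"
	}
	if found, ok := hasSourceRoute(pkt[20:ihl]); !ok {
		return "malformed options"
	} else if found {
		return "source routing option set"
	}
	src := net.IP(pkt[12:16])
	if outbound && !f.isInternal(src) {
		return "egress: source address is not ours (BCP 38)"
	}
	if !outbound && f.isInternal(src) {
		return "ingress: packet from outside claims an inside source"
	}
	return ""
}

// buildIPv4 makes a constructed test packet (not a capture); options are padded to 4 bytes, no checksum.
func buildIPv4(src, dst string, opts []byte) []byte {
	opts = append([]byte{}, opts...)
	for len(opts)%4 != 0 {
		opts = append(opts, optEOL)
	}
	hdr := make([]byte, 20+len(opts))
	hdr[0] = 0x40 | byte(len(hdr)/4) // version 4, IHL in 32-bit words
	hdr[2], hdr[3] = byte(len(hdr)>>8), byte(len(hdr))
	hdr[8], hdr[9] = 64, 6 // TTL, protocol = TCP
	copy(hdr[12:], net.ParseIP(src).To4())
	copy(hdr[16:], net.ParseIP(dst).To4())
	copy(hdr[20:], opts)
	return hdr
}

func main() {
	f := newFilter("10.0.0.0/24")
	lsrr := []byte{optLSRR, 7, 4, 10, 0, 0, 1} // type, length, pointer, one hop
	fmt.Printf("%q\n", f.inspect(buildIPv4("203.0.113.5", "10.0.0.7", lsrr), false))
	fmt.Printf("%q\n", f.inspect(buildIPv4("198.51.100.9", "203.0.113.1", nil), true))
}
```

The egress check is the one the question asks for; the ingress check is its counterpart from choice B of this question, cheap to add once the parser exists, and the source-route check is the rule from question 06.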


 
